View a markdown version of this page

CreateOAuth2PublicClient - AWS Sign-In

CreateOAuth2PublicClient

Dynamically registers an OAuth 2.0 public client for use with AWS Sign-In.

Implements RFC 7591 (OAuth 2.0 Dynamic Client Registration) for MCP-compatible agents. Only redirect URIs matching the allowlisted patterns are accepted during registration.

Registered clients receive an ARN in the format arn:aws:signin:{region}::external-client/dcr/{uuid}. Client registrations have a 90-day lifetime.

Request Syntax

POST /v1/register HTTP/1.1 Content-type: application/json { "grant_types": [ "string" ], "redirect_uris": [ "string" ], "response_types": [ "string" ], "token_endpoint_auth_method": "string" }

URI Request Parameters

The request does not use any URI parameters.

Request Body

The request accepts the following data in JSON format.

grant_types

The grant types that this client will use. Supported values: authorization_code, refresh_token. Defaults to both if omitted. The client_credentials grant type is not supported. The refresh_token grant type cannot be specified alone without authorization_code.

Type: Array of strings

Array Members: Minimum number of 1 item. Maximum number of 5 items.

Required: No

redirect_uris

The redirect URIs that this client will use for OAuth callbacks. Only redirect URIs matching the allowlisted patterns are accepted. Maximum of 10 URIs.

Type: Array of strings

Array Members: Minimum number of 1 item. Maximum number of 10 items.

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: Yes

response_types

The response types that this client will use. Only code is supported. Defaults to ["code"] if omitted.

Type: Array of strings

Array Members: Minimum number of 1 item. Maximum number of 5 items.

Required: No

token_endpoint_auth_method

The client authentication method for the token endpoint. Only none is supported (public clients). Defaults to none if omitted.

Type: String

Pattern: none

Required: No

Response Syntax

HTTP/1.1 200 Content-type: application/json { "client_id": "string", "client_id_issued_at": number, "grant_types": [ "string" ], "redirect_uris": [ "string" ], "response_types": [ "string" ], "token_endpoint_auth_method": "string" }

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

client_id

The unique client identifier (ARN) assigned to this client. Format: arn:aws:signin:{region}::external-client/dcr/{uuid}.

Type: String

client_id_issued_at

The time at which the client identifier was issued, as a NumericDate (Unix epoch seconds).

Type: Long

grant_types

The grant types registered for this client.

Type: Array of strings

Array Members: Minimum number of 1 item. Maximum number of 5 items.

redirect_uris

The redirect URIs registered for this client.

Type: Array of strings

Array Members: Minimum number of 1 item. Maximum number of 10 items.

Length Constraints: Minimum length of 1. Maximum length of 2048.

response_types

The response types registered for this client.

Type: Array of strings

Array Members: Minimum number of 1 item. Maximum number of 5 items.

token_endpoint_auth_method

The client authentication method. Always none for public clients.

Type: String

Pattern: none

Errors

For information about the errors that are common to all actions, see Common Error Types.

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

InternalServerException

The request processing has failed because of an unknown error, exception or failure with an internal server.

HTTP Status Code: 500

TooManyRequestsError

Indicates that the principal has exceeded the limit of requests to this API operation.

HTTP Status Code: 429

ValidationException

The request failed because it contains a syntax error.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: